A miner and the ClipBanker Trojan being distributed via SourceForge

Published 08/04/2025 19:06 · Modified 08/04/2025 22:10

Essential information

Tags
2025-04-08 autoit clipbanker cryptocurrency miner persistence powershell sourceforge
Related entities
12 techniques (MITRE ATT&CK), 1 malware, 1 other

Description

A distinctive malware distribution scheme abusing SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically provisions a sourceforge.io subdomain for the project. That subdomain is then used to host a malicious page that tricks visitors into downloading a compressed archive containing the malware. The infection chain has several stages, including password-protected archives, Visual Basic scripts, and PowerShell commands. The main payloads are a cryptocurrency miner and ClipBanker, a Trojan that replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled ones. The campaign primarily targets Russian-speaking users, with 90% of potential victims located in Russia.
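Two behaviours in the chain described above are directly observable on an endpoint: a script host handing off to PowerShell, and the clipboard contents changing from one wallet address to another without the user copying anything. The following Python is an added example written for this page, not code from the report or from the malware; the wallet regexes, the event layout and the sample clipboard/process events are all constructed here for illustration and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Address formats a clipper typically targets (constructed for this example, not exhaustive).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx":        re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def wallet_type(text: str):
    """Return the wallet family a string looks like, or None if it is not an address."""
    s = text.strip()
    for name, pat in WALLET_PATTERNS.items():
        if pat.match(s):
            return name
    return None

@dataclass
class ClipEvent:
    ts: float      # seconds since monitor start
    source: str    # "user": the monitor saw the user copy this; "poll": a periodic read-back
    value: str

def detect_clipboard_swaps(events, window=30.0):
    """Flag clipboard contents that changed from one wallet address to another
    without a user copy in between. A clipper does exactly that, so a read-back
    that differs from what the user last copied is the observable."""
    alerts = []
    last_user = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "user":
            last_user = ev
            continue
        if last_user is None or ev.value == last_user.value:
            continue
        copied, seen = wallet_type(last_user.value), wallet_type(ev.value)
        if copied and seen and ev.ts - last_user.ts <= window:
            alerts.append({
                "ts": ev.ts,
                "copied": last_user.value, "copied_type": copied,
                "replaced_with": ev.value, "replaced_type": seen,
                # clippers keep the family so the victim's transaction still validates
                "same_family": copied == seen,
            })
            last_user = None   # one alert per swap; wait for the next user copy
    return alerts

def suspicious_script_chain(proc_events):
    """Flag a script host (VBS stage) spawning PowerShell, the hand-off this chain uses.
    Events are dicts with Sysmon EventID 1-style field names (constructed layout)."""
    script_hosts = {"wscript.exe", "cscript.exe"}
    shells = {"powershell.exe", "pwsh.exe"}
    markers = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop", "bypass")
    hits = []
    for e in proc_events:
        parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        cmd = e.get("CommandLine", "").lower()
        if parent in script_hosts and image in shells:
            hits.append({"pid": e["ProcessId"], "parent": parent,
                         "flags": [m for m in markers if m in cmd]})
    return hits

# Constructed sample data: a user copies a BTC address, the clipboard is read back
# as a different BTC address one second later; later copies are benign.
SAMPLE_CLIP_EVENTS = [
    ClipEvent(0.0, "user", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipEvent(0.5, "poll", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipEvent(1.0, "poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # swapped in silently
    ClipEvent(60.0, "user", "meeting notes"),
    ClipEvent(60.5, "poll", "meeting notes v2"),                   # not an address: ignored
    ClipEvent(90.0, "user", "0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae"),
    ClipEvent(90.5, "poll", "0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae"),
]
SAMPLE_PROC_EVENTS = [  # constructed; the encoded payload is a placeholder, not a real sample
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UABhAHkAbABvAGEAZAA="},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_CLIP_EVENTS):
        print("clipboard swap:", a)
    for h in suspicious_script_chain(SAMPLE_PROC_EVENTS):
        print("script host -> PowerShell:", h)
```

The clipboard check only works if the monitor records the user's own copies (via a clipboard listener) separately from its periodic read-backs; a copy the monitor did not see, or a password manager rewriting the clipboard, will show up as a swap, so tune the window and treat `same_family` as the high-confidence signal. The process check is deliberately narrow (script host parent, PowerShell child) and should be paired with the archive-extraction and persistence events from the same chain before it is used for blocking.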

External references